How to Protect Attorney-Client Privilege When Recording Meetings

What Is Attorney-Client Privilege?

Attorney-client privilege is one of the oldest recognized privileges in Anglo-American common law, dating back to the Elizabethan era in the sixteenth century. At its core, the privilege protects confidential communications between a client and their attorney made for the purpose of seeking or providing legal advice. It exists to encourage full and frank communication between lawyers and their clients so that legal counsel can be as effective as possible.

For the privilege to attach, four conditions must generally be met: (1) a communication must occur between a client and an attorney, (2) the attorney must be acting in a professional legal capacity, (3) the communication must be made in confidence, and (4) the purpose of the communication must be to seek or provide legal advice. The privilege belongs to the client—not the attorney—and only the client can waive it.

The critical concept here is the "reasonable expectation of confidentiality" standard. For the privilege to hold, the client must have a reasonable belief that the communication will remain confidential. This means the communication cannot be made in the presence of unnecessary third parties, and the attorney must take reasonable steps to protect the confidentiality of the information shared.

Waiver of attorney-client privilege can be express (the client deliberately discloses the communication) or implied (the client acts in a way that is inconsistent with maintaining confidentiality). Crucially, implied waiver can happen even without the client's knowledge or intent. If a third party gains access to a privileged communication because the attorney failed to take adequate precautions, a court may find that the privilege has been waived. This is where technology choices become critically important.

How Cloud Meeting Recorders Can Waive Privilege

Most popular meeting recorders—Otter.ai, Fireflies, Grain, Read AI, and others—operate on a cloud-first model. When you record a meeting, the audio is uploaded to the provider's servers for transcription, summarization, and storage. This architecture creates several distinct risks to attorney-client privilege.

The Third-Party Doctrine

Under the third-party doctrine, information voluntarily disclosed to a third party loses its reasonable expectation of privacy. When a cloud recording service processes your privileged conversations, the audio content is transmitted to and stored on servers controlled by a company that is neither the attorney nor the client. The recording provider's employees, subcontractors, and AI systems may access this data during normal operations—for quality assurance, model training, debugging, or feature development.

Courts have historically held that sharing privileged information with unnecessary third parties can constitute a waiver of the privilege. While there is ongoing legal debate about whether cloud service providers are the equivalent of a "necessary agent" like a translator or legal secretary, the law remains unsettled. A court could determine that voluntarily uploading a privileged conversation to a third-party cloud service constitutes implied waiver—particularly if the provider's terms of service grant them broad rights to use or access the data.

Subpoena Exposure

When privileged recordings exist on a cloud provider's servers, opposing counsel can subpoena the provider directly. Even if you would have grounds to assert privilege, you may not receive notice of the subpoena in time to object. Cloud providers typically have compliance teams that respond to legal process, and their obligations to their users may conflict with their legal duty to comply with valid subpoenas. The result: your privileged communications could be disclosed to opposing counsel before you even know about the request.

Data Breach Risk

Cloud platforms are high-value targets for cyberattacks. A data breach affecting a recording provider could expose privileged communications for thousands of attorneys simultaneously. While a breach alone may not automatically waive privilege, it creates a disclosure event that complicates privilege assertions and may require disclosure to affected clients, bar associations, and in some jurisdictions, courts.

Meeting Bots as Third Parties

Many cloud recording tools operate by injecting a "bot" participant into your Zoom, Teams, or Google Meet calls. This bot joins the meeting as a visible attendee, captures the audio stream, and transmits it to the cloud. From a privilege standpoint, this bot is effectively a third party in the room—one controlled by an external company, transmitting everything said to external servers. Opposing counsel could argue that allowing a third-party recording bot into a privileged conversation demonstrates a lack of intent to maintain confidentiality, thereby waiving the privilege.

ABA Rule 1.6 and the Duty of Technology Competence

The American Bar Association's Model Rules of Professional Conduct impose specific obligations on attorneys regarding confidentiality and technology.

Rule 1.6(c): Reasonable Efforts to Prevent Disclosure

ABA Model Rule 1.6(c) states that a lawyer "shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." This is not a suggestion—it is a mandatory professional obligation. Failure to comply can result in disciplinary action, malpractice liability, and disqualification from representation.

The "reasonable efforts" standard requires attorneys to evaluate the risks associated with their technology choices. Using a cloud-based recording tool for privileged conversations—where the audio is transmitted to, processed by, and stored on third-party servers—may fall short of this standard. The attorney must ask: does this technology introduce unnecessary risks of disclosure, and are there alternatives that would better protect client confidentiality?

Comment 18 to Rule 1.1: Technology Competence

Comment 18 to ABA Model Rule 1.1 (Competence) was amended in 2012 to clarify that competent representation requires lawyers to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." This amendment has been widely interpreted as imposing a duty of technology competence on all practicing attorneys.

As of 2025, 42 U.S. states have adopted some version of the technology competence amendment. This means that in the majority of jurisdictions, an attorney who uses a cloud recording tool without understanding its privacy implications may be violating their duty of competence. Ignorance of how a recording tool handles privileged data is not a defense—it is itself a violation.

State Bar Opinions on Cloud Technology

Numerous state bar associations have issued ethics opinions addressing attorneys' use of cloud technology. The consensus is that attorneys may use cloud services, but only after conducting due diligence on the provider's security practices, understanding the terms of service, and ensuring that reasonable safeguards are in place. For recording tools specifically, this means attorneys should evaluate: where the audio is stored, who has access to it, whether the provider uses the data for training or other purposes, and whether the provider can be compelled to produce the data in response to legal process.

Risk Assessment: Cloud vs. On-Device Recording

The following table compares the privilege and compliance risks of cloud-based recording tools versus on-device recording solutions. Understanding these differences is essential for any attorney who records client meetings, depositions, or case strategy sessions.

The risk differential is clear. For any conversation protected by attorney-client privilege, on-device recording eliminates the most significant threat vectors: third-party access, subpoena exposure, and the privilege-waiver argument that sharing with a cloud provider constitutes disclosure to an unnecessary third party.

On-Device Recording as the Privilege-Safe Alternative

On-device recording fundamentally changes the privilege calculus. When audio is captured, transcribed, and stored entirely on the attorney's own device, the third-party doctrine concern evaporates. There is no cloud upload, no external server, no third-party company with access to the data. The recording remains under the attorney's direct control—the same level of control that applies to handwritten notes locked in a filing cabinet.

Eliminating the Third-Party Doctrine

The strongest argument against cloud recording of privileged conversations is that it constitutes voluntary disclosure to a third party. On-device recording removes this argument entirely. The audio never leaves the device. No third party ever receives, processes, or stores the privileged communication. From a privilege analysis perspective, the recording is no different from the attorney's own memory of the conversation—it is a work product under the attorney's exclusive control.

No Cloud Upload, No Subpoena Target

If privileged recordings exist only on the attorney's device, there is no cloud provider to subpoena. Opposing counsel cannot send a subpoena to a server that does not exist. The only way to obtain the recording is through a discovery request directed at the attorney or client, where privilege can be properly asserted and adjudicated through normal legal channels.

No Meeting Bot, No Third Party in the Room

On-device recording eliminates the meeting bot entirely. There is no additional participant joining the call, no external entity capturing the audio stream, and no visible indicator to opposing parties that a third-party service is present. The recording is simply a function of the attorney's own device—analogous to taking notes on a laptop during a meeting.

Meetly for Law's 6-Layer Privacy Stack

Meetly for Law is purpose-built for this exact use case. Its 6-layer privacy stack ensures privileged communications remain privileged: (1) on-device audio capture with no cloud upload, (2) local transcription powered by Apple's on-device speech recognition, (3) on-device storage with no external sync, (4) optional AI summaries where only the transcript text—never the audio—is sent directly from the device to the LLM provider, (5) no account or login required, meaning zero user metadata is collected, and (6) no Meetly servers in the data flow, eliminating the company itself as a potential disclosure vector.

Best Practices for Recording Legal Meetings

Even with on-device recording, attorneys should follow best practices to ensure that privilege is preserved and that recordings are conducted ethically and legally.

1. Get Informed Consent from All Participants

Before recording any meeting, inform all participants that the conversation will be recorded. This is not just an ethical obligation—it is a legal requirement in many jurisdictions. Failure to obtain consent can result in criminal liability under federal wiretapping laws and state equivalents, regardless of whether the recording tool is cloud-based or on-device. Document consent in writing when possible.

2. Document Your Recording Policy in Engagement Letters

Include a recording policy in your engagement letter or retainer agreement. Specify that meetings may be recorded for accuracy and documentation purposes, describe the technology used (on-device recording with no cloud upload), and explain how recordings will be stored and protected. This creates a clear record that the client consented to the recording and understood the privacy safeguards in place.

3. Use On-Device Storage Only

For privileged conversations, restrict recordings to on-device storage. Do not upload recordings to cloud storage services like Google Drive, Dropbox, or iCloud. Do not email recordings. Do not share them via messaging apps. Every time a privileged recording leaves the attorney's direct control, it creates a new potential waiver argument. Treat recordings with the same care you would treat the most sensitive document in a client's file.

4. Maintain a Privilege Log

Keep a detailed privilege log for all recorded meetings. For each recording, document the date, participants, subject matter, the basis for privilege (attorney-client communication, work product, etc.), and the storage location. A well-maintained privilege log strengthens your position if the recording is ever the subject of a discovery dispute and demonstrates the diligence required under Rule 1.6.

5. Review State-Specific Consent Laws

Recording consent laws vary significantly by jurisdiction. Eleven U.S. states require all-party consent (also called two-party consent), meaning every participant must agree to the recording. These states include California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania, and Washington. The remaining states follow one-party consent rules, where only one participant in the conversation needs to consent. For interstate calls, the stricter standard typically applies. Always verify the applicable consent requirements before recording.

6. Choose Tools That Meet the "Reasonable Efforts" Standard

When selecting a recording tool, evaluate it against the ABA Rule 1.6(c) "reasonable efforts" standard. Ask: Does the tool transmit audio to external servers? Does the provider have access to my recordings? Can the provider be compelled to produce my data? Does the tool inject a bot or third party into the meeting? Does the provider use recording data for training or analytics? If the answer to any of these questions is yes, the tool may not meet the reasonable efforts standard for privileged conversations.

7. Conduct Regular Security Audits of Recording Tools

Technology changes rapidly. A tool that was secure six months ago may have changed its terms of service, added new data-sharing features, or experienced a security incident. Conduct regular audits of your recording tools—review the provider's privacy policy, terms of service, and security practices at least annually. Document these audits as part of your firm's information security program. This ongoing diligence is part of the "reasonable efforts" obligation under Rule 1.6(c).

When NOT to Record

Even with the most secure recording technology, there are situations where recording is inappropriate, prohibited, or strategically inadvisable.

• Grand jury proceedings: Federal Rule of Criminal Procedure 6(e) strictly prohibits unauthorized recording of grand jury proceedings. Violations can result in contempt charges and criminal penalties. This prohibition applies to all participants, including attorneys.
• Certain judicial conferences: Many courts prohibit recording of in-chambers conferences, settlement conferences, and mediation sessions. Check local court rules before recording any judicial proceeding. Some judges issue standing orders prohibiting electronic devices in certain contexts.
• When opposing counsel objects and no court order exists: If opposing counsel objects to recording during a deposition or meeting and there is no court order authorizing the recording, it is generally prudent to cease recording. Continuing to record over objection can create grounds for sanctions and may antagonize the tribunal.
• Mediation and arbitration with confidentiality agreements: Many mediation and arbitration agreements include strict confidentiality provisions that prohibit recording. Violating these provisions can void the proceeding or result in sanctions.
• When the recording could create adverse discoverable evidence: Consider whether the recording might capture strategically sensitive discussions—case strategy, candid assessments of case weaknesses, or settlement authority. Even privileged recordings can become discoverable if privilege is inadvertently waived. Exercise judgment about when the value of having a recording outweighs the risk.